PL/SQL Release 10.2.0.1.0 - Production
CORE 10.2.0.1.0 Production
TNS for Linux: Version 10.2.0.1.0 - Production
NLSRTL Version 10.2.0.1.0 - Production
[oracle@localhost ~]$ uname -a
Linux localhost.localdomain 2.6.18-164.el5 #1 SMP Tue Aug 18 15:51:54 EDT 2009 i686 i686 i386 GNU/Linux
三、實驗過程
-- Experiment 1: plain proxy authentication. User a is made a proxy for user b,
-- so a can open a session whose current user is B using only a's own password.
-- (a/a and b/b are throwaway lab passwords; never use such values outside a sandbox.)
SQL> create user a identified by a;
User created.
SQL> SQL> grant create session, create procedure,create table to a;
Grant succeeded.
SQL> create user b identified by b
2 ;
User created.
SQL> grant create session, create table, create procedure to b;
Grant succeeded.
SQL> alter user b quota unlimited on users;
User altered.
-- Without a WITH ROLE / WITH NO ROLES clause the proxy session receives every
-- privilege and role that b holds (shown below: a creates a table in B's schema).
SQL> alter user b grant connect through a; -- make a the proxy user for b
User altered.
-- Proxy login syntax: proxy_user[target_user]/proxy_password. b's password is
-- never presented, so compromise of a's credentials is effectively compromise of B.
-- NOTE(review): in a proxy session SYS_CONTEXT('USERENV','PROXY_USER') should
-- report A and can be used to tell proxy sessions apart in audit records -- confirm
-- on this release.
SQL> conn a[b]/a -- a's password alone is enough to log in as user B
Connected.
SQL> show user;
USER is "B"
SQL>
-- Executed while the session identity is B, so the object is owned by B.
SQL> create table test1 (x int);
Table created.
SQL> conn b/b
Connected.
SQL> select * from tab;
TNAME TABTYPE CLUSTERID
------------------------------ ------- ----------
TEST1 TABLE
可以看到，表 test1 已經建立在用戶 B 的模式下（而不是代理用戶 a 的模式下）。
SQL> conn a/a
Connected.
SQL> select * from tab;
no rows selected
而用戶 a 自己的模式下並沒有表 test1：代理會話中的所有操作都是以用戶 B 的身份執行的。
這樣我們就基本實現了實驗目的，但還有一個嚴重的安全問題：在這種配置下（沒有 WITH ROLE / WITH NO ROLES 子句），代理會話預設會啟用用戶 b 的全部權限和角色，因此代理用戶 a 可以建立用戶 b 所能建立的所有類型的對象。也就是說，如果用戶 b 擁有建立表和存儲過程的權限，那麼 a 作爲用戶 b 的代理用戶同樣可以在 b 的模式下建立表和存儲過程。
能不能讓用戶a只有建立用戶b表的權限呢,當然有!
結合role我們就可以輕鬆完成這個需求。
-- Experiment 2: restrict what the proxy session may do. The WITH ROLE clause of
-- ALTER USER ... GRANT CONNECT THROUGH filters *roles* only, so b's privileges
-- must be split into roles for the restriction to have any effect.
SQL> drop user a;
User dropped.
-- CASCADE is required because b now owns TEST1 from experiment 1.
SQL> drop user b cascade;
User dropped.
SQL> create role b_role1;
Role created.
SQL> create role b_role2;
Role created.
-- b_role1: privileges b needs for its own sessions.
-- b_role2: the subset that a's proxy sessions are allowed to use.
SQL> grant create procedure, create session to b_role1;
Grant succeeded.
SQL> grant create table to b_role2;
Grant succeeded.
SQL> create user a identified by a;
User created.
-- a's own CREATE PROCEDURE applies only when a connects as itself; it does not
-- carry into the proxy session, whose current user is B (see the ORA-01031 below).
SQL> grant create session, create procedure to a;
Grant succeeded.
SQL> create user b identified by b default tablespace users quota
unlimited on users;
2
User created.
SQL> SQL> grant b_role1 to b;-- To meet this requirement the privileges must be granted to user b through roles, with CREATE TABLE placed in its own role, and then ALTER USER ... CONNECT THROUGH ... WITH ROLE role_name (b_role2 here) is used. If b were instead granted directly -- grant create table, create procedure, create session to b -- then after ALTER USER ... CONNECT THROUGH ... WITH ROLE b_role2, user a could still create procedures in b's schema, because directly granted system privileges are not filtered by WITH ROLE.
Grant succeeded.
SQL> grant b_role2 to b;
Grant succeeded.
-- Only b_role2 is enabled in a's proxy sessions. Any system privilege granted to b
-- directly (not via a role) would remain active in the proxy session regardless.
SQL> alter user b grant connect through a with role b_role2;
User altered.
-- First attempt fails: WITH ROLE b_role2 makes b_role2 the only role enabled in
-- the proxy session, and CREATE SESSION was granted through b_role1, so the proxy
-- session cannot even log in.
SQL> conn a[b]/a
ERROR:
ORA-01045: user B lacks CREATE SESSION privilege; logon denied
Warning: You are no longer connected to ORACLE.
SQL> conn / as sysdba
Connected.
-- Fix: the role enabled in the proxy session must itself carry CREATE SESSION.
-- Side effect to keep in mind: every other grantee of b_role2 also gains CREATE SESSION.
SQL> grant create session to b_role2;
Grant succeeded.
SQL> conn a[b]/a
Connected.
-- Permitted: CREATE TABLE is provided by b_role2.
SQL> create table test(x int);
Table created.
-- Denied: CREATE PROCEDURE lives in b_role1, which is not enabled here, and a's
-- own direct CREATE PROCEDURE grant does not apply because the session runs as B.
SQL> create procedure p as begin null; end;
2
3 /
create procedure p as begin null; end;
*
ERROR at line 1:
ORA-01031: insufficient privileges
SQL>
SQL> show user;
USER is "B"
可以看到，代理用戶 a 可以在 b 的模式下建立表，但不能建立用戶 b 的存儲過程。需要注意兩點：第一，這種限制只對通過角色授予的權限有效，直接授予用戶 b 的系統權限不會被 WITH ROLE 過濾；第二，用戶 a 自身直接擁有的 CREATE PROCEDURE 權限在代理會話中並不生效，因爲代理會話的當前用戶是 B 而不是 a。